How to Store Your Paper and EMR Records While Staying HIPAA-Compliant

By Patricia Chaney / January 21, 2016

As you gain more patients, you also gain more records -- and that means more information that has to be stored, secured, and easily retrieved. You have a mix of paper records taking up valuable office space and electronic records that need ever-increasing hard-drive storage space. On top of that, all internal, external, and cloud-based storage needs to be HIPAA-compliant. It's tough to decide the best way to manage your needs: internally, externally, or a combination of both?

Considerations for Records Storage

Volume of records and IT budget are likely your top two considerations when deciding whether to keep your records stored and backed up internally or to let an outside company do it for you.

When evaluating volume, it helps to have a document-retention schedule in place. The American Health Information Management Association recommends having guidelines for what health information is retained, for how long, and by what means. Also, you should have policies for appropriately destroying records that you no longer legally need to retain.

For HIPAA-compliant storage, you need to have a backup plan and a recovery plan. The law requires that you "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." You must also have procedures to "restore any loss of data," such as from emergencies or natural disasters.

If your records volume is small, you have an adequate IT budget, and you have knowledgeable staff to handle your paper and electronic health documents, then you may be able to oversee these tasks internally. However, if the volume of information and security requirements feels overwhelming, you have options for using third-party services for some or all of your documents.

How to Handle Paper Records

You need to be able to easily retrieve your paper records, particularly older files. Large filing cabinets may be taking up office space that could be used for other purposes.

Maintaining an external location for your paper records can be costly if you do it on your own. Document-storage companies give you a range of services to choose from that may fit more easily into your budget. They can physically store your records at a protected location, retrieve files for you, and scan all or some of your files when you need them.

What to Do About Electronic Storage

Your EMR may not take up the physical office space that your paper records once did, but the demand for storage space for these files will only grow. Do you manage your backups internally, or is it time to consider looking outside your practice for HIPAA-compliant backup storage?

The costs of a third-party service may seem high at first, but be sure to weigh them against the obvious and hidden costs of doing it yourself. First, you'll need to make ongoing investments in your storage capacity. This can lead to increased costs because you'll need a large enough server room and will pay utility bills to power and cool your hardware.

In addition, hardware has about a five-year life span, so you will need to budget for replacing these tools regularly. During the replacement process, HIPAA has requirements for ensuring that you maintain the integrity of the data as you move it across systems. For your backup and disaster recovery plans, best practices recommend that you keep your backups stored at a secure location away from your campus. This can simply be backup tapes that you keep stored at another site, or backups to the cloud.

Cloud storage providers offer a range of options from simple backup to more in-depth services and recovery guarantees. You still retain ownership of your files and can access them at any time, but by using a third-party service, you don't need to hire IT experts, nor do you need a large storage capacity within your office. You have the company's expertise in complying with laws and regulations as they change. With a subscription service, you'll know exactly how much to budget every month.

Ultimately, as the physician, you own these documents and are responsible for their security and integrity. It's a complex job, and you may need to outsource at least part of it, especially if you don't have access to the IT resources of a large medical center. When choosing any vendor, do a thorough evaluation to ensure that its facilities, processes, procedures, and technology are all HIPAA-compliant.

Patricia Chaney is a freelance writer specializing in the health care industry. She has nearly 10 years of experience interviewing leaders in cancer care, writing for providers and executives, and covering health care reform. Patricia has a passion for quality health care, natural health, fitness, and food.